The wallets are protected by a PIN of the user's choice. We have a mitigation technique in place for brute-force attacks on this PIN.
The user has a total of 3 wrong attempts before the wallet is locked on the card. After 3 wrong attempts, the wallet gets locked, the card generates a random challenge, and a difficulty level is chosen from the table in the challenge calculation section.
The difficulty level is defined by the number of consecutive wrong attempts made to access a PIN-protected wallet. So the first 3 wrong attempts lock the wallet at the first level, which demands a difficulty of 2^255. The solution is explained in the maths involved section.
Once the device has solved the hash challenge at the set difficulty, it sends the solution to the card for verification, along with the PIN, to authenticate the user before the locked wallet is unlocked. After verifying the challenge solution against the difficulty level, the card either unlocks the wallet (if the provided PIN is correct) or increases the difficulty of the challenge by 1 level and generates a new challenge for this updated difficulty level.
NOTE: All CyLock communication (challenge retrieval and verification) happens over a symmetric encryption layer (based on the AES-CBC algorithm).
Simple timer-based mitigation techniques are not useful here: they do not provide the required level of protection against brute force, because the card cannot maintain an active clock for this purpose. A time-based limit enforced on the device would not solve the problem either, as the card can be operated with another device. The suggested implementation lets the challenge be stored and solved off-card, while generation and verification happen only on the card itself.
The following table shows the exponential increase in the difficulty of the challenge that must be solved before further attempts to enter the PIN can be made once the wallet is locked. The card hardens the challenge on each successive wrong attempt at entering the PIN. The table below depicts the actual implementation of the concept.
The difficulty of the challenge reduces the chances of a brute-force attack on the user’s PIN.
The hash rate of the X1Wallet device is 2.96E+03 hashes/second. All the calculations in the following table assume the same hash rate value.
| Target Exponent | P(Hash < Target) = Valid Hashes / Total Hashes | Expected Number of Trials before Hash < Target = 1 / P(Hash < Target) | Time to crack (secs) = Number of Trials / Time for 1 Trial | Time to crack (hrs) |
|---|---|---|---|---|
| 256 | 1.00E+00 | 1 | 0.00 | 0.00 |
| 239 | 7.63E-06 | 131072 | 57.70 | 0.00 |
| 237 | 1.91E-06 | 524288 | 231.00 | 0.10 |
| 233 | 1.19E-07 | 8388608 | 3,695.40 | 1.00 |
| 231 | 2.98E-08 | 33554432 | 14,781.70 | 4.10 |
| 228 | 3.73E-09 | 268435456 | 118,253.50 | 32.80 |
| 226 | 9.31E-10 | 1073741824 | 473,014.00 | 131.40 |
| 223 | 1.16E-10 | 8589934592 | 3,784,112.20 | 1,051.10 |
| 220 | 1.46E-11 | 68719476736 | 30,272,897.20 | 8,409.10 |
| 200 | 1.39E-17 | 7.20576E+16 | 31,743,433,496,884.60 | 8,817,620,415.80 |
| 190 | 1.36E-20 | 7.3787E+19 | 32,505,275,900,809,800.00 | 9,029,243,305,780.50 |
| 180 | 1.32E-23 | 7.55579E+22 | 33,285,402,522,429,200,000.00 | 9,245,945,145,119,230.00 |
| 178 | 3.31E-24 | 3.02231E+23 | 133,141,610,089,717,000,000.00 | 36,983,780,580,476,900.00 |
| 176 | 8.27E-25 | 1.20893E+24 | 532,566,440,358,868,000,000.00 | 147,935,122,321,908,000.00 |
| 170 | 1.29E-26 | 7.73713E+25 | 34,084,252,182,967,500,000,000.00 | 9,467,847,828,602,090,000.00 |
| 165 | 4.04E-28 | 2.47588E+27 | 1,090,696,069,854,960,000,000,000.00 | 302,971,130,515,267,000,000.00 |
| 160 | 1.26E-29 | 7.92282E+28 | 34,902,274,235,358,700,000,000,000.00 | 9,695,076,176,488,540,000,000.00 |
| 158 | 3.16E-30 | 3.16913E+29 | 139,609,096,941,435,000,000,000,000.00 | 38,780,304,705,954,200,000,000.00 |
| 155 | 3.94E-31 | 2.5353E+30 | 1,116,872,775,531,480,000,000,000,000.00 | 310,242,437,647,633,000,000,000.00 |
| 150 | 1.23E-32 | 8.11296E+31 | 35,739,928,817,007,400,000,000,000,000.00 | 9,927,758,004,724,270,000,000,000.00 |

- Trial: An event that can occur. For example, a coin toss.
- Independent Trial: An event whose outcome doesn’t depend on the outcome of previous trials. For example, rolling a die is an independent event.
Suppose we have an independent trial whose outcomes are success or failure.
Assume the probability of success is p.
The expected number of trials before we get the first success is 1/p.
Further reading: expected value of first success
The above example of a trial can be adapted to proof of work.
In our case, the trial is to generate a random number or hash. The trial is a success if the outcome is less than a predefined number; otherwise it is a failure.
The device keeps repeating the trial until it succeeds.
Let’s assume that, like Bitcoin, we are using SHA-256. In each trial a random number is generated. Its value is between 0 and 2^256. All the numbers have equal probability of being generated. It’s like rolling a die: instead of a 6-faced die we have a 2^256-faced die.
From basic probability we know that,
Let’s suppose that our predefined number is 2^196.
Probability of generating a number less than 2^196 =
Number of ways we can get number less than 2^196 = 2^196 (we can get 0, 1, 2, … 2^196-1)
Total number of outcomes = 2^256
= 2^196/2^256
= 1/2^60
Now we know the probability of success: it is 1/2^60.
Note that the trial here is independent.
From the maths prerequisite we know that,
Expected number of attempts (average number of trials before we get our first success) = 1 / p
= 1/(1/2^60)
= 2^60
This means that, on average, we’ll get our first success after generating 2^60 hashes.
Now all we need to do is find out the time it requires to generate one hash and multiply it by 2^60.
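
The trial-until-success loop and the expected-work calculation above, as an added Python example (not the card's or the device's actual code). The hash input layout (challenge followed by an 8-byte nonce), the function names and the demo exponent are assumptions; the page does not specify them.

```python
import hashlib
import os

HASH_BITS = 256  # SHA-256 output size


def expected_trials(target_exponent: int) -> int:
    """Average hashes needed before one falls below 2**target_exponent (1/p)."""
    return 2 ** (HASH_BITS - target_exponent)


def expected_seconds(target_exponent: int, hashes_per_second: float) -> float:
    """Expected solve time: number of trials multiplied by the time for one hash."""
    return expected_trials(target_exponent) / hashes_per_second


def pow_hash(challenge: bytes, nonce: int) -> int:
    # Assumed layout: challenge followed by an 8-byte big-endian nonce.
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big")


def verify(challenge: bytes, nonce: int, target_exponent: int) -> bool:
    """Card side: one hash and one comparison, whatever the difficulty."""
    return pow_hash(challenge, nonce) < 2 ** target_exponent


def solve(challenge: bytes, target_exponent: int) -> tuple[int, int]:
    """Device side: repeat the trial until success. Returns (nonce, trials)."""
    nonce = 0
    while not verify(challenge, nonce, target_exponent):
        nonce += 1
    return nonce, nonce + 1


if __name__ == "__main__":
    challenge = os.urandom(32)  # constructed stand-in for the card's random challenge
    exponent = 244              # demo-sized target so the loop finishes quickly
    nonce, trials = solve(challenge, exponent)
    print(f"solved in {trials} trials (expected {expected_trials(exponent)})")
    print("card accepts:", verify(challenge, nonce, exponent))
    print("2^196 target, expected trials:", expected_trials(196))
```

The asymmetry is the point of the design: `solve` costs about 2^(256 - exponent) hashes on the device, while `verify` on the card is a single hash at every difficulty level.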